I followed the steps below and was able to find out who executed which runbook. See if it helps you.
- As shown in the screenshot below, I configured a diagnostic setting in the Azure Automation account such that the audit category group or the AuditEvent category is selected and the destination is set to send audit events to a Log Analytics workspace.
- Then I executed a runbook from the same Azure Automation account and could see that the execution completed, as shown in the screenshot below.
- As mentioned here, I waited for ~15 minutes after the above event so that the logs could be streamed to the specified destinations. Then I could see the audit event, as shown in the screenshot below, which has a clientInfo_ObjectId_g property that holds the object ID of the client who executed the runbook and a targetResources_JobId_g property that holds the job ID of the runbook executed.
- Next, I used the object ID of the client who executed the runbook, from the clientInfo_ObjectId_g property, in the Get-AzureADUser cmdlet to get the name of the member who executed the runbook, and I used the job ID from the targetResources_JobId_g property in the Get-AzAutomationJob cmdlet to get the name of the runbook. For an illustration of how to use the cmdlets, please check the screenshot below.
- Next, since we were able to get the information about who executed the runbook and which runbook was executed after sending logs to the Log Analytics workspace, all you have to do is run the code below as a script or as another runbook to get details of who executed a runbook and which runbook was executed in a given time frame.
Below is the code for the same, which basically uses the Invoke-AzOperationalInsightsQuery, Get-AzureADUser and Get-AzAutomationJob cmdlets. It's just sample code and you may tweak it as per your needs.
```powershell
# Requires signed-in Az and AzureAD sessions (Connect-AzAccount, Connect-AzureAD)
# Pull the Automation audit events from the last 24 hours
$query = 'AzureDiagnostics | where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "AuditEvent"'
$queryResults = Invoke-AzOperationalInsightsQuery -WorkspaceId '<LogAnalyticsWorkspaceID>' -Query $query -Timespan (New-TimeSpan -Hours 24)

# The query can return several rows, so resolve each audit event on its own
foreach ($row in $queryResults.Results) {
    $JobID = $row.targetResources_JobId_g
    $ClientObjectID = $row.clientInfo_ObjectId_g
    $AAResourceGroupName = $row.ResourceGroup
    $AAResourceName = $row.Resource

    # Object ID -> display name of the member who executed the runbook
    $AADUserDetails = Get-AzureADUser -ObjectId $ClientObjectID
    $RunbookExecutedBy = $AADUserDetails.DisplayName

    # Job ID -> name of the runbook that was executed
    $AAJobDetails = Get-AzAutomationJob -Id $JobID -ResourceGroupName $AAResourceGroupName -AutomationAccountName $AAResourceName
    $RunbookName = $AAJobDetails.RunbookName

    $RunbookExecutedBy
    $RunbookName
}
```
I have tried all this for Automation accounts and Log Analytics workspaces in various regions. If you still face an issue, then please let me know which region your Automation account and Log Analytics workspace are in, what the pricing tier and access control mode of your Log Analytics workspace are, and any other information that explains the context and environment setup better, so I can try to reproduce the issue by creating a similar environment.
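
Added example (not part of the original answer): a function form of the script above that turns every audit row into one report object, caches directory lookups, and keeps rows whose caller is not a user or whose job can no longer be read. `Get-RunbookExecutionAudit` is a hypothetical name, and the fallback to `Get-AzureADServicePrincipal` assumes the caller object ID may belong to an application or managed identity.

```powershell
#Requires -Modules Az.OperationalInsights, Az.Automation, AzureAD
# Added example. Assumes Connect-AzAccount and Connect-AzureAD have already run.
function Get-RunbookExecutionAudit {          # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $WorkspaceId,
        [int] $Hours = 24
    )
    # Same filter as the answer's query.
    $query = 'AzureDiagnostics | where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "AuditEvent"'
    $rows = (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query `
                -Timespan (New-TimeSpan -Hours $Hours)).Results

    $nameCache = @{}   # object ID -> display name, one directory lookup per caller
    foreach ($row in $rows) {
        $oid = $row.clientInfo_ObjectId_g
        if ($oid -and -not $nameCache.ContainsKey($oid)) {
            try {
                $nameCache[$oid] = (Get-AzureADUser -ObjectId $oid -ErrorAction Stop).DisplayName
            } catch {
                # Assumption: the caller may be an application or managed identity.
                try {
                    $sp = Get-AzureADServicePrincipal -ObjectId $oid -ErrorAction Stop
                    $nameCache[$oid] = "$($sp.DisplayName) (service principal)"
                } catch { $nameCache[$oid] = '<unresolved>' }
            }
        }
        # Rows without a job ID, or jobs that can no longer be read, stay in the report.
        $runbook = '<unknown>'
        if ($row.targetResources_JobId_g) {
            try {
                $runbook = (Get-AzAutomationJob -Id $row.targetResources_JobId_g `
                    -ResourceGroupName $row.ResourceGroup `
                    -AutomationAccountName $row.Resource -ErrorAction Stop).RunbookName
            } catch { }
        }
        [pscustomobject]@{
            TimeGenerated  = $row.TimeGenerated
            ExecutedBy     = if ($oid) { $nameCache[$oid] } else { '<no caller id>' }
            CallerObjectId = $oid
            RunbookName    = $runbook
            JobId          = $row.targetResources_JobId_g
        }
    }
}
# Usage: Get-RunbookExecutionAudit -WorkspaceId '<LogAnalyticsWorkspaceID>' -Hours 24 | Format-Table
```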